Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

NOT ALL RECOMMENDED FRAUD SAFEGUARDS HAVE BEEN IMPLEMENTED IN HOSPITAL EHR TECHNOLOGY

Daniel R. Levinson
Inspector General

December 2013
OEI-01-11-00570

EXECUTIVE SUMMARY: Not All Recommended Safeguards Have Been Implemented in Hospital EHR Technology
OEI-01-11-00570

WHY WE DID THIS STUDY
Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. The Office of the National Coordinator for Health Information Technology (ONC), which coordinates the adoption, implementation, and exchange of EHRs, contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology. This study determined how hospitals that received EHR Medicare incentive payments, administered by the Centers for Medicare & Medicaid Services (CMS), had implemented recommended fraud safeguards for EHR technology.

HOW WE DID THIS STUDY
We administered an online questionnaire to the 864 hospitals that received Medicare incentive payments as of March 2012. The questionnaire focused on the presence of features and capabilities in Certified EHR Technology based on the RTI-recommended safeguards regarding audit functions, EHR user authorization and access, and EHR data transfer. We also conducted onsite structured interviews with hospital staff and observed a demonstration of the hospitals’ Certified EHR Technology in eight hospitals. Finally, we conducted structured surveys with four EHR vendors and asked them the extent to which they had incorporated recommended fraud safeguards into their products.

WHAT WE FOUND
Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.

WHAT WE RECOMMEND
We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.

TABLE OF CONTENTS

Objectives .... 1
Background .... 1
Methodology .... 7
Findings .... 9
    Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent .... 9
    All hospitals employed a variety of RTI-recommended user authorization and access controls .... 12
    Nearly all hospitals were using RTI-recommended data transfer safeguards .... 13
    Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts .... 13
    Only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology .... 14
Conclusion and Recommendations .... 15
    Agency comments and Office of Inspector General response .... 17
Appendixes .... 18
    A: RTI Recommendations and General Consistency With ONC Certification Criteria or CMS Meaningful Use .... 18
    B: Nonrespondent Analysis .... 20
    C: Agency Comments .... 21
Acknowledgments .... 26

OBJECTIVES
1. To assess the extent to which hospitals that had received electronic health record (EHR) Medicare incentive payments implemented recommended fraud safeguards for EHR technology in the following categories:
    • audit functions,
    • user authorization and access controls,
    • data transfer standards, and
    • patient involvement in anti-fraud activity.
2. To assess the extent to which hospitals had implemented policies to address inappropriate copy-paste in EHRs.

BACKGROUND
Electronic Health Records
EHRs replace traditional paper medical records with computerized recordkeeping to document and store patient health information.
EHRs may include patient demographics, progress notes, medications, medical history, and clinical test results from any health care encounter.1 Vendors create EHR technology that includes a variety of applications and tools for collecting, managing, and sharing patient information electronically and for clinical decisionmaking.

Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) to support the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information.2 Its goal is to achieve widespread adoption of EHRs by 2014. The Office of the National Coordinator for Health Information Technology (ONC) coordinates the adoption, implementation, and exchange of EHRs.

To encourage adoption and meaningful use of EHRs, ARRA also established the Medicare and Medicaid EHR incentive programs.3 Since 2011, the Centers for Medicare & Medicaid Services (CMS) has paid $13.5 billion in incentive payments to eligible professionals and hospitals that demonstrate meaningful use of Certified EHR Technology.4 Medicare professionals and hospitals will face payment adjustments under Medicare starting in 2015 for failing to successfully demonstrate meaningful use of Certified EHR Technology.5

1 CMS, Electronic Health Records Overview. Accessed at http://www.cms.gov on Jan. 11, 2011.
2 P.L. 111-5, Title XIII.
3 ARRA, Title IV, P.L. 111-5.

Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology (OEI-01-11-00570)

EHR Certification Criteria. Hospitals must use Certified EHR Technology to receive EHR incentive payments. Certified EHR Technology must be able to perform specified functions, such as enabling a user to electronically record, modify, and retrieve patient information.6 ONC oversees the EHR certification process.

Meaningful Use Criteria. Federal regulations established meaningful use measures for hospitals.7 These measures address EHR capabilities meant to improve health care quality and efficiency, such as computerized provider order entry, e-prescribing, and exchange of key clinical information. CMS is promulgating regulations specifying criteria to meet meaningful use in three stages.8 Stage 1 criteria set the baseline for electronic data capture and information sharing. CMS released Stage 2 final rules in September 2012, which focus on advanced functionality of EHRs, including interoperability, patient engagement, clinical decision support, and quality measurement.9 CMS expects to propose Stage 3 criteria at a later date.

EHR Fraud Vulnerabilities
The full extent of health care fraud is unknown, but it is substantial. The annual cost of health care fraud is between $75 billion and $250 billion. These figures are based on CMS estimates of total health care expenditures in 2009.10 Experts in health information technology caution that EHR technology can make it easier to commit fraud.11 Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud. Below we describe two examples of EHR documentation practices that could be used to commit fraud.

4 CMS, Medicare and Medicaid Incentive Provider Payments by State. Program Type: January 2011-March 2013. Accessed at http://www.cms.gov on April 25, 2013.
5 See §§ 1848(a)(7), 1853(l)(4), and 1886(b)(3)(B), as enacted in ARRA. See also CMS, CMS Finalizes Requirements for the Medicare EHR Incentive Program. Accessed at http://www.cms.gov on Jan. 3, 2012.
6 45 CFR §§ 170.302, 170.306, and 170.314. At the time of our review, hospitals were required to be certified as meeting the 2011 EHR Certification Criteria to receive EHR incentive payments. Beginning on October 1, 2013, hospitals must be certified as meeting the 2014 EHR Certification Criteria to receive EHR incentive payments.
7 42 CFR Part 495.
8 CMS, EHR Meaningful Use Overview. Accessed at http://www.cms.gov on March 7, 2012. See 42 CFR Part 495.
9 77 Fed. Reg. 53968 (Sept. 4, 2012).
10 CMS, National Health Expenditure Data. Accessed at http://www.cms.gov on Jan. 3, 2012.

Copy-Pasting. Copy-pasting, also known as cloning, allows users to select information from one source and replicate it in another location.12 When doctors, nurses, or other clinicians copy-paste information but fail to update it or ensure accuracy, inaccurate information may enter the patient’s medical record and inappropriate charges may be billed to patients and third-party health care payers. Furthermore, inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.

Overdocumentation. Overdocumentation is the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services. Some EHR technologies auto-populate fields when using templates built into the system. Other systems generate extensive documentation on the basis of a single click of a checkbox, which, if not appropriately edited by the provider, may be inaccurate.
Such features can produce information suggesting the practitioner performed more comprehensive services than were actually rendered.13

Recommended EHR Fraud Management Safeguards
In 2006, ONC contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology. RTI convened industry experts, including providers, payers, and EHR technology vendors, to develop 14 functional recommendations that offer the highest benefit in reducing waste due to fraud and data inaccuracies.14 These recommendations addressed several types of vulnerabilities, including copy-paste and overdocumentation. RTI reported that incorporating these 14 recommendations could increase data quality and reduce exposure to “new and ever-evolving forms of electronically enabled health care fraud.” (See Table 1. Numbers in parentheses are the RTI recommendation numbers.)

Usage policies and technology features could help prevent EHR fraud if used consistently. However, providers that use EHR technology can disable or bypass these features, potentially making them ineffective. For this analysis, we have grouped the 14 recommendations into categories of fraud safeguards, including audit functions, user authorization and access controls, data transfer standards, and patient involvement in anti-fraud.

11 Dougherty, Michelle. HIT Policy Committee Hearing on Clinical Documentation, February 13, 2013. Accessed at http://www.healthit.gov on March 19, 2013.
12 Association of American Medical Colleges, Compliance Officers’ Forum. Appropriate Documentation in an EHR: Use of Information That Is Not Generated During the Encounter for Which the Claim Is Submitted: Copying/Importing/Scripts/Templates. July 11, 2001.
13 Dougherty, Michelle. HIT Policy Committee Hearing on Clinical Documentation, February 13, 2013. Accessed at http://www.healthit.gov on March 19, 2013.
14 ONC, Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems. June 2007. Accessed at http://www.rti.org/pubs/enhancing_data_quality_in_ehrs.pdf on May 20, 2013.

Table 1: RTI Recommendations Grouped Into Fraud Safeguard Categories

Audit Functions
  1) Requires the use of an audit log function and specifies audit log operation and content for tracking EHR updates. (4.2.1)
  2) Requires that the methods (i.e., copy/paste, direct entry, import) for any update to an EHR be documented and tracked. (4.2.4)
  3) Requires that the user ID of the original author be tracked when an EHR update is entered “on behalf” of another author (i.e., distinguish between entries made by an assistant and a provider). (4.2.6)
  4) Requires that EHR technology be able to record and indicate the method used to confirm patient identity (i.e., photo identification, prior relationship). (4.2.11)
  5) Requires that original EHR documents be retained after they are signed off and modifications be tracked as amendments. (4.2.7)

User Authorization and Access Controls
  6) Requires the use of user IDs and passwords to restrict unauthorized access to EHRs. (4.2.3)
  7) Requires the use of a provider’s National Provider Identifier to restrict EHR access and track updates to EHRs by author. (4.2.2)
  8) Requires that EHR technology support an “auditor” class of user to have read-only access to patient records. (4.2.8)

Data Transfer Standards
  9) Requires that a document ID tracking number be generated and attached to an EHR any time an EHR is exported (i.e., printed or electronically communicated). (4.2.9)
  10) Requires that EHRs be exchanged using certain data standards (encryption) to ensure that data have not been altered during the transmission. (4.2.13)
  11) Requires that EHR technology have the capacity to directly capture clinical information in structured and coded data and not impact EHR user productivity. (4.2.12)

Patient Involvement in Anti-Fraud
  12) Requires that patients be able to access and comment within their EHRs. (4.2.10)

Other
  13) Requires that information transmitted for payment of claims be accurately linked and tracked to the appropriate EHR. (4.2.14)
  14) Requires that EHR technology not prompt an EHR user to add documentation but be able to alert a user to inconsistencies between documentation and coding. (4.2.5)

Source: OIG analysis of RTI’s recommended requirements for enhancing data quality in EHR systems, 2013.

Audit Functions. Audit functions, such as audit logs, track access and changes within a record chronologically by capturing data elements, such as date, time, and user stamps, for each update to an EHR. An audit log can be used to analyze historical patterns that can identify data inconsistencies. To provide the most benefit in fraud protection, audit logs should always be operational while the EHR is being used and be stored as long as clinical records. Users should not be able to alter or delete the contents of the audit log.

User Authorization and Access Controls. Access controls are policies and EHR technology features that require unique identifiers, passwords, and user authentication to help prevent inappropriate access to EHRs. Such access controls discourage fraud schemes that involve stealing provider and patient information to submit false claims. These controls can also validate claims by verifying that services align with provider profiles associated with unique identifiers.

Data Transfer Standards. These standards are technology features that restrict the printing, transferring, or exporting of EHR data by requiring a distinct authorization and additional documentation and tracking elements. Unrestricted export of EHRs could make patient information readily available to create fraudulent claims.

Patient Involvement in Anti-Fraud. EHR technology can allow patients to view their medical records and make comments in their EHRs.
Patients may be able to help detect potentially fraudulent activity by identifying errors and validating the services that they receive from their providers.

In addition, these 14 recommendations can be broken down into 60 individual criteria, one-third of which focus on audit log functions and features, highlighting audit logs as an important fraud safeguard.

Although ONC posted RTI’s recommendations on its Web site, its certification criteria and CMS’s meaningful use measures do not specifically address all of RTI’s recommendations. For example, RTI lists detailed requirements for the functions that the audit log should be able to perform. Although ONC certification criteria require that certified EHRs have an audit log, they do not require it to be operational at all times as recommended by RTI. (See Appendix A for a summary of RTI’s 14 requirements and general consistency with ONC certification criteria or CMS meaningful use objectives.)

Related Office of Inspector General Work
The Office of Inspector General (OIG) will release a companion report to this one that describes the program integrity practices CMS and its contractors have implemented in light of EHR adoption.15 OIG considers the effective use of data and technology, including EHRs, to be a top management challenge facing the Department and its operating divisions.16

In 2012, OIG released a report on physicians’ reported use of EHR technology that found that 57 percent of Medicare physicians used an EHR at their primary practice locations in 2011. Additionally, three of every four Medicare physicians with an EHR system used a certified system to document evaluation and management services.17 OIG is currently determining the extent to which documentation errors were facilitated by using EHR technology.18

In 2012, OIG released a study that found that CMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements.19

In 2011, OIG released an audit of information technology (IT) controls in health IT standards. OIG found that ONC EHR certification criteria focused on IT security application controls for communication between EHR systems, but did not include basic, general IT security controls.20

15 OIG, CMS and Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities in EHRs, OEI-01-11-00571, in progress.
16 OIG, 2012 Top Management and Performance Challenges, 2012.
17 OIG, Use of Electronic Health Record Systems in 2011 Among Medicare Physicians Providing Evaluation and Management Services, OEI-04-10-00184, June 2012.
18 OIG, OEI-04-10-00182, in progress.
19 OIG, Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program, OEI-05-11-00250, November 2012.
20 OIG, Audit of Information Technology Security Included in Health Information Technology Standards, A-18-09-30160, May 2011.

METHODOLOGY
Scope
This study determined the extent to which hospitals that received EHR Medicare incentive payments between January 2011 and March 2012 implemented safeguards to protect against health care fraud.
This study also assessed the extent to which hospitals have implemented copy-paste policies.

Data Sources
Hospital Questionnaires: We administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. We obtained a list from CMS of all hospitals (877) that received Medicare incentive payments for demonstrating meaningful use of Certified EHR Technology as of March 2012. The questionnaire focused on the presence of features and capabilities in Certified EHR Technology based on the RTI-recommended safeguards regarding audit logs, EHR access, and EHR data transfer. The questionnaire also asked about barriers to adopting selected RTI-recommended fraud and abuse safeguards. Prior to our data collection, we reviewed the RTI recommendations with ONC, CMS, and external stakeholders and confirmed that these recommendations were relevant and appropriate. We had a 95-percent response rate. See Appendix B for a nonrespondent analysis.

Hospital Site Visits: We chose eight hospitals for site visits on the basis of geographic diversity, number of beds, and ownership type. While onsite, we conducted structured interviews with hospital staff and observed a demonstration of the hospitals’ Certified EHR Technology. We conducted site visits in August and September 2012.

EHR Vendor Interviews: We conducted structured interviews with four EHR vendors that develop Certified EHR Technology products for hospitals. We selected five EHR vendors that together represented at least 50 percent of the market share of Certified EHR Technology products used in hospitals that received Medicare incentive payments. We removed one EHR vendor/health care company from our sample because its products were not commercially available and were designed for its own health care facilities. We asked EHR vendors about the extent to which they had incorporated recommended fraud and abuse safeguards into their products. We had a 100-percent response rate to our request for interviews.

Limitations
Our analysis used self-reported data from hospitals and EHR vendors. We did not independently verify their responses. This study did not assess whether individual EHR technology products were capable of implementing RTI recommendations. We also did not verify that hospitals’ EHR technology met ONC certification criteria, because all the hospitals we surveyed attested to using ONC-certified technology. In addition, we did not address vulnerabilities associated with hardware or those covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

Our analysis did not assess each of the 60 individual criteria specified in the 14 recommendations that RTI developed. Changes in EHR technology made some criteria less relevant to our assessment than when they were developed 6 years ago.

Standards
This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency.

FINDINGS
Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent
Ninety-six percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. Audit logs monitor user activity and are an important tool against fraud in EHRs. They are so important that one-third of RTI’s recommended safeguards concern audit log operation and content.

Hospitals’ EHR audit logs captured most RTI-recommended data
Generally, hospitals’ audit logs captured the RTI-recommended data for each entry or access to the EHR, modification to the EHR, and signature event.21 Almost all hospitals’ audit logs recorded the date and time of entry, the user identification, and the type of access to the EHR (e.g., creating, editing, viewing).
See Table 2 for details on the data that hospitals’ EHR audit logs capture.

Fewer hospitals’ audit logs captured data when an EHR user released an encounter for billing, exported or imported an EHR document, or disabled the audit log. In addition, hospital audit logs are less likely to record the method of data entry (e.g., direct text entry, speech recognition, automated) or the original date, time, and user identification when data are copy-pasted.

21 A signature event is the proactive or auto default completion of a patient encounter.

Table 2: Percentage of Hospitals That Report Their Audit Logs Capture RTI-Recommended Data

When Data Are Recorded                                                                 Percentage of Hospitals’ Audit Logs
Each entry or access to an EHR                                                          99%
Each time a user modifies an EHR                                                        99%
Each signature event (proactive or automatic completion of an encounter)                92%
Each time a user releases an encounter for billing                                      85%
Each export of an EHR document                                                          81%
Each import of an EHR document                                                          79%
Each time a user disables the audit log                                                 61%

What Data Are Recorded                                                                 Percentage of Hospitals’ Audit Logs
Date, time, and user identification                                                    100%
Access type (creating, editing, or viewing data)                                        96%
Synchronized network time protocol                                                      80%
Date, time, user ID of original author when data are entered on behalf of another       67%
Internet protocol address (i.e., location of user accessing EHR)                        61%
Date, time, user ID of original author when data are copied                             49%
The method used when data are entered into the EHR (such as direct text entry,
speech recognition, automated, copy-paste)                                              44%
National Provider Identifier                                                            33%

Source: OIG analysis of hospitals’ responses to Certified EHR Technology questionnaire, 2012

Most hospitals stored audit log data according to RTI recommendations

Some EHR vendors we spoke with stated that costs associated with additional storage space for audit logs may be a challenge for some
hospitals; nevertheless, 67 percent of hospitals reported storing audit log data indefinitely. Only 10 percent of hospitals reported storing audit log data for less than 5 years. See Table 3 for how long hospitals reported storing audit log data. One vendor explained that it was easy to add storage space and discontinue collecting redundant or less useful audit log data to increase storage capacity. Several hospitals reported archiving audit log data prior to deleting them from their servers, which saves space and improves system processing speeds. RTI recommends that hospitals store audit log data as long as clinical records. This is important so that audit log data are available for fraud detection.

Table 3: Length of Time Hospitals Reported Storing Audit Log Data

Length of Time Audit Log Data Are Stored       Percentage of Hospitals
≤ 12 months                                     5%
1-5 years                                       5%
6-10 years                                      9%
≥ 11 years                                      1%
Indefinitely                                   67%
Other                                          13%

Source: OIG analysis of hospitals’ responses to Certified EHR Technology questionnaire, 2012

Hospitals’ control over audit logs may be at odds with their RTI-recommended use as fraud safeguards

RTI recommends that EHR users not be allowed to delete the contents of their audit log so that data are always available for fraud detection, yet nearly half of hospitals (44 percent) reported that they can delete their audit logs. Although these hospitals reported that they limit the ability to delete the audit log to certain EHR users, such as system administrators, one EHR vendor noted that any software programmer could delete the audit log.

RTI recommends that the ability to disable the audit log be limited to certain individuals, such as system administrators, and that EHR users, such as doctors and nurses, be prevented from editing the contents of the audit log because these actions can compromise the audit log’s effectiveness. Hospitals reported they have the ability to disable (33 percent) and edit (11 percent) their audit logs, although they reported restricting those abilities to certain EHR users, such as system administrators or EHR vendors.
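The RTI recommendations discussed above (audit log contents should not be deletable or editable, and disabling the log should itself be recorded) can be enforced in the log’s design rather than only by restricting which users hold the privilege. The following is an added example, not code from this report, RTI, ONC, or any EHR vendor; its field names follow the Table 2 data items but are this example’s own assumptions, and the sample events are constructed. Each record carries a SHA-256 digest over its own content and the previous record’s digest, so an edit, deletion, or reordering anywhere in the log fails verification.

```python
"""Tamper-evident audit log for EHR events (added example, not vendor code).

Field names follow the RTI-recommended data in Table 2 but are assumptions of
this example. Each record stores a SHA-256 digest over its content plus the
previous record's digest, so editing, deleting, or reordering any record is
detectable by verify_chain(); disabling the log is itself recorded as an event.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # previous-hash value used by the first record


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str                 # ISO 8601 from an NTP-synchronized clock
    user_id: str                   # unique user identification
    access_type: str               # view, create, edit, sign, release_billing,
                                   # export, import, audit_disabled
    patient_id: str
    ip_address: str
    entry_method: str = "direct"   # direct, speech, automated, copy_paste
    on_behalf_of: Optional[str] = None   # original author for proxy entries
    npi: Optional[str] = None            # National Provider Identifier


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    event: AuditEvent
    prev_hash: str
    record_hash: str


def _digest(seq: int, event: AuditEvent, prev_hash: str) -> str:
    """Canonical JSON (sorted keys) so identical content always hashes alike."""
    payload = json.dumps({"seq": seq, "event": asdict(event), "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only: append() is the only public mutation."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, event: AuditEvent) -> AuditRecord:
        seq = len(self._records)
        prev = self._records[-1].record_hash if self._records else GENESIS_HASH
        rec = AuditRecord(seq, event, prev, _digest(seq, event, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[AuditRecord]:
        return list(self._records)  # a copy, so callers cannot mutate the log


def verify_chain(records: List[AuditRecord],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """(True, None) if intact, else (False, index of the first bad record).

    expected_head is the last record digest stored outside the EHR; without it
    a chain cannot tell that its newest records were truncated.
    """
    prev = GENESIS_HASH
    for expected_seq, rec in enumerate(records):
        if (rec.seq != expected_seq
                or rec.prev_hash != prev
                or rec.record_hash != _digest(rec.seq, rec.event, rec.prev_hash)):
            return False, expected_seq
        prev = rec.record_hash
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def privileged_events(records: List[AuditRecord]) -> List[int]:
    """Sequence numbers of events a reviewer should always examine."""
    return [r.seq for r in records if r.event.access_type == "audit_disabled"]


# Helpers that simulate what a reviewer must be able to catch (constructed scenarios).
def tampered_copy(records: List[AuditRecord], seq: int, **changes) -> List[AuditRecord]:
    """Copy of the list with one event edited; its stored digest is left as is."""
    out = list(records)
    out[seq] = replace(out[seq], event=replace(out[seq].event, **changes))
    return out


def deleted_copy(records: List[AuditRecord], seq: int) -> List[AuditRecord]:
    """Copy of the list with one record removed."""
    return [r for r in records if r.seq != seq]


def build_sample_log() -> AuditLog:
    """Constructed sample events; none of this is real patient or user data."""
    log = AuditLog()
    log.append(AuditEvent("2012-03-01T08:02:11Z", "nurse_01", "view", "P001", "10.1.2.3"))
    log.append(AuditEvent("2012-03-01T08:15:40Z", "dr_smith", "create", "P001", "10.1.2.7",
                          npi="npi-placeholder"))
    log.append(AuditEvent("2012-03-01T08:20:05Z", "asst_04", "edit", "P001", "10.1.2.9",
                          on_behalf_of="dr_smith"))
    log.append(AuditEvent("2012-03-01T09:00:00Z", "coder_07", "release_billing", "P001", "10.1.3.1"))
    log.append(AuditEvent("2012-03-01T09:30:00Z", "sysadmin", "audit_disabled", "-", "10.1.0.2"))
    return log
```

A hash chain by itself cannot detect that the newest records were truncated, which is why `verify_chain` also accepts the expected head digest; a hospital would periodically copy that head value to storage the EHR’s administrators and programmers cannot write, which is the separation the vendors’ remarks about programmers point to.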
All four EHR vendors we spoke with reported that the audit logs cannot be disabled in their products, but one vendor again noted that a programmer could disable the audit log.

Most hospitals reported analyzing audit log data; however, their efforts appeared limited to ensuring privacy of patient data rather than detecting and preventing fraud and abuse

None of the hospitals we visited analyzed their audit logs to prevent or detect fraud, such as by identifying duplicate or fraudulent claims and inflated billing. Rather, all eight hospitals we visited described their audit log analyses as focused on privacy, such as detecting unauthorized viewing of an EHR of a celebrity, family member, or hospital employee. EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them.
For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.

Most hospitals (95 percent) reported that they analyze audit log data. Forty-six percent of hospitals reported analyzing audit logs monthly, and 26 percent of hospitals conducted analysis on an as-needed basis. Hospitals cited barriers to analyzing audit logs, including limited human resources, a lack of vendor-provided user guides for audit log functionality, inadequate training on audit logs, and the inability to interpret audit log data.

All hospitals employed a variety of RTI-recommended user authorization and access controls

All hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent).22 Hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs. Over 98 percent of hospitals had implemented automatic user logoffs after a set period of time, minimum user password configurations, and user agreements to access EHR technology. Eighty-six percent of hospitals required users to regularly change passwords.
RTI recommends that EHR technology support strong user access authentication safeguards that evolve as technology advances to limit inappropriate access to EHRs.

Eighty-six percent of hospitals allowed outside entities to access their EHR data. Hospitals may define outside entities differently to include a variety of individuals and organizations, such as insurance companies, auditors, hospital-contracted provider groups, and physicians. Hospitals allowed both remote and onsite access depending on the relationships and reasons for access. All but one of the hospitals we visited allowed hospital physicians remote access to the EHR system, although the access privileges varied. Some of these hospitals limited access to certain patients or to view-only screens.

22 Tokens may include a series of randomly generated numbers, biometrics include fingerprint or retinal scans, and public key infrastructure is a high-level encryption standard.

Nearly all hospitals that allowed outside entities to access their EHR data tracked access via a unique identifier (99 percent), and nearly as many limited outside entity access (95 percent). In addition, 96 percent did not allow outside entities access to the audit logs.
Five of the hospitals we visited allowed outside entities access although they limited access to specific patients, claims, or information and allowed view-only access. RTI recommends that certain outside entities have limited access to EHR data to allow for a greater ability to detect fraud.

Nearly all hospitals were using RTI-recommended data transfer safeguards

Eighty-eight percent of hospitals reported having limits on which EHR users can export, transfer, or print EHR data. However, only 27 percent of hospitals reported that they require users to provide a reason before exporting, transferring, or printing EHR data. RTI recommends safeguards to restrict the export, transfer, or printing of EHR data so that patient information is not readily available to create fraudulent claims.

Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts

Forty-three percent of hospitals reported that they allow patients to view either components of their EHRs or their entire EHRs electronically. Hospitals and EHR vendors we spoke with revealed that hospitals were beginning to implement patient access features to achieve Meaningful Use Stage 2. Few hospitals had implemented additional features to allow patients a stronger role in detecting fraud. For example, 9 percent of hospitals allowed patients to comment in their EHRs, to view the entities to which the hospitals released their EHRs, or to view entities that accessed their EHRs.
RTI recommends that patients have access to their EHRs and the ability to comment in their EHRs. This could enable patients to detect fraud by identifying errors and validating the services that they received.

Hospitals reported several barriers to allowing patients’ access to their EHRs, including the inability of EHR technology to support the capability, the inability to integrate with existing systems, funding restrictions, resistance from physicians, and concerns with patient privacy. EHR vendors echoed some of these barriers. According to one EHR vendor we spoke with, physicians are especially hesitant to allow patients to communicate to providers and comment in the EHRs. Another EHR vendor told us that its small rural hospitals lack the patient demand for such a feature. Finally, one EHR vendor explained that providing patient access tends to be one of the last features a hospital implements after focusing on initiating other EHR functions.

Only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology

Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered.
Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.

Even the hospitals that had policies seemed to have limited control over the use of the copy-paste feature. Most of these hospital policies (61 percent) shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate. Twenty-two percent of hospitals’ policies advised EHR users to avoid “indiscriminately copy-pasting,” and 21 percent of policies required EHR users to cite the original source of the copied-pasted data. In addition, 51 percent of hospitals reported that they are unable to customize the copy-paste feature in their EHR technology, for example, by restricting its use or disabling it. Furthermore, the EHR vendors we spoke with explained that the copy-paste feature cannot be disabled or altered. One EHR vendor offered that it discourages hospitals from copy-pasting progress notes or copy-pasting identical text in records of multiple patients.

Copy-paste is most useful in facilitating data entry of physicians’ progress notes; however, few hospitals had fully implemented that function. Only 4 percent of hospitals reported they had fully implemented electronic progress notes.
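One way a hospital could put a copy-paste policy of the kind described above into practice is to review exported progress notes together with the audit log’s method-of-entry and original-author fields. The block below is an added example, not code from this report, CMS, RTI, or any EHR vendor; the note records and their field names are constructed for the example. It flags identical note text across the records of multiple patients (the practice one vendor discourages), the same note repeated within one patient’s record, and copy-pasted entries that do not cite their original author (the requirement in 21 percent of hospital policies).

```python
"""Review of copy-paste use in physician progress notes (added example).

Not code from OIG, RTI, CMS, or any EHR vendor. Assumes notes can be exported
with the audit-log fields the report discusses (author, method of entry,
original author when copied). Three checks: identical text across patients,
the same note repeated for one patient, and copy-paste with no cited source.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample notes; not real patient data.
SAMPLE_NOTES: List[Dict] = [
    {"note_id": "N1", "patient_id": "P001", "date": "2012-03-01", "author": "dr_smith",
     "method": "direct", "source_author": None,
     "text": "Pt seen at bedside. Chest clear. Continue current antibiotics."},
    {"note_id": "N2", "patient_id": "P001", "date": "2012-03-02", "author": "dr_smith",
     "method": "copy_paste", "source_author": "dr_smith",
     "text": "Pt seen at bedside. Chest clear. Continue current antibiotics."},
    {"note_id": "N3", "patient_id": "P002", "date": "2012-03-02", "author": "dr_smith",
     "method": "copy_paste", "source_author": "dr_smith",
     "text": "Pt seen at bedside.  Chest clear. Continue current antibiotics."},
    {"note_id": "N4", "patient_id": "P003", "date": "2012-03-02", "author": "dr_jones",
     "method": "copy_paste", "source_author": None,
     "text": "pt seen at bedside. chest clear. continue current antibiotics."},
    {"note_id": "N5", "patient_id": "P004", "date": "2012-03-02", "author": "dr_jones",
     "method": "speech", "source_author": None,
     "text": "Post-op day 1. Pain controlled. Ambulating in hall."},
]


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive key so trivial edits do not hide a clone."""
    return re.sub(r"\s+", " ", text.strip().lower())


def identical_text_across_patients(notes: List[Dict], min_patients: int = 2) -> Dict:
    """Map normalized text -> patients and note ids, for text seen in >= min_patients' records."""
    patients = defaultdict(set)
    note_ids = defaultdict(list)
    for n in notes:
        key = normalize(n["text"])
        patients[key].add(n["patient_id"])
        note_ids[key].append(n["note_id"])
    return {key: {"patients": sorted(patients[key]), "notes": note_ids[key]}
            for key in patients if len(patients[key]) >= min_patients}


def repeated_notes_per_patient(notes: List[Dict]) -> Dict[str, List[str]]:
    """Map patient_id -> note ids where one patient's record carries the same text more than once."""
    seen = defaultdict(list)
    for n in notes:
        seen[(n["patient_id"], normalize(n["text"]))].append(n["note_id"])
    out: Dict[str, List[str]] = defaultdict(list)
    for (patient_id, _), ids in seen.items():
        if len(ids) > 1:
            out[patient_id].extend(ids)
    return dict(out)


def copy_paste_without_source(notes: List[Dict]) -> List[str]:
    """Copy-pasted notes that do not record the original author."""
    return [n["note_id"] for n in notes
            if n["method"] == "copy_paste" and not n["source_author"]]


def review(notes: List[Dict]) -> Dict:
    """Summary a compliance reviewer could act on."""
    return {
        "cross_patient_clones": identical_text_across_patients(notes),
        "repeated_per_patient": repeated_notes_per_patient(notes),
        "copy_paste_without_source": copy_paste_without_source(notes),
    }
```

The normalization step matters: a clone that differs only in spacing or capitalization would otherwise pass an exact-match check, while a normalized comparison still avoids flagging clinically distinct notes.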
Most hospitals (73 percent) reported having a combination of electronic and handwritten or dictated physician progress notes. Although this feature may enhance efficiency, it is vulnerable to fraudulent use.

CONCLUSION AND RECOMMENDATIONS

In its efforts to promote EHR adoption, the Department of Health and Human Services focused largely on developing criteria, defining meaningful use, and administering incentive payments. It gave less attention to the risks EHRs may pose to program integrity of Federal health care programs. Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.

We recommend that:

Audit logs be operational whenever EHR technology is available for updates or viewing

Stage 2 EHR Technology Certification Criteria state that the audit log must be set by default at the point of installation to record the data specified in the standard. However, providers may disable the audit log at any point.
The Department should ensure that providers cannot or do not disable audit logs whenever EHR technology is available for updates or viewing. Requiring that audit logs be operational in this manner reinforces their importance and conveys the Department’s expectation that they will be used to detect fraud and abuse. To that end, we offer two options:

• ONC could propose a change to its EHR certification criteria, through rulemaking, to require that EHR technology keep the audit log operational whenever the EHR technology is available for updates or viewing.
• Alternatively, CMS could update its meaningful use criteria to require providers to keep the audit log operational whenever EHR technology is available for updates or viewing.

ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs

The Department has a responsibility to address the risks that EHRs pose to program integrity for Federal health programs. Toward that end, in May 2013, ONC and CMS jointly convened stakeholders to discuss appropriate coding in an electronic environment.
This is a promising start, and they should build on it to develop a formal strategy aimed at detecting and reducing fraud in EHRs.

In July 2013, ONC released the Health IT Safety Action and Surveillance Plan, which integrated the efforts of ONC, CMS, and the Agency for Healthcare Research and Quality to make patient care safer through the use of health IT.23 ONC and CMS could use this approach to develop a strategy to detect and reduce fraud in EHRs. It may also offer the Department the opportunity to establish clear responsibility for program integrity among the agencies that run its health IT programs.

CMS develop guidance on the use of the copy-paste feature in EHR technology

Because many hospitals cannot customize the copy-paste feature in EHR technology, the need for policies to govern its use is elevated. The copy-paste feature can be used appropriately and enhance efficiency; however, this feature also poses risks. CMS should work with ONC and hospitals to develop guidelines for using the copy-paste feature in EHR technology. Specifically, CMS should consider whether the risks of some copy-paste practices outweigh their benefits. For example, CMS could provide guidance to hospitals on copy-pasting identical text in records of multiple patients.

23 ONC, Health Information Technology Patient Safety Action & Surveillance Plan for Public Comment, December 21, 2012. Accessed at www.healthit.gov on May 2, 2013.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

CMS and ONC concurred with all three of our recommendations.

To address our recommendation that the audit log be operational at all times, ONC will propose the appropriate revision to the auditable events certification criteria in the next available and relevant rulemaking cycle. CMS responded that it supports ONC’s development of certification criteria toward this goal.

To address our recommendation about developing a comprehensive plan to address fraud vulnerabilities in EHRs, ONC stated that it was committed to providing technical assistance to other Federal agencies with health care fraud enforcement authority. CMS commented that it audits hospitals to ensure the integrity of the EHR incentive payments. However, our recommendation concerned plans to address fraud vulnerabilities directly related to Medicare health claims.
We ask CMS to address these vulnerabilities in its final management decision.

To address our final recommendation that CMS develop guidance on the use of the copy-paste feature, CMS stated that it will develop guidelines to ensure that this feature is used appropriately.

For a full text of CMS and ONC’s comments, see Appendix C.

APPENDIX A
RTI Recommendations and General Consistency With ONC Certification Criteria or CMS Meaningful Use

Each entry below gives the RTI recommendation, its description, and its general consistency with ONC certification criteria or CMS meaningful use objectives.

Audit Functions

1) Audit Functions and Features
   Description: Requires the use of an audit log function and specifies audit log operation and content for tracking EHR updates.
   General consistency: Certified EHR Technology is required to have an audit log that can be disabled only by authorized users, cannot be altered or deleted, and must be enabled by default but is not required to be operational at all times. 45 CFR § 170.314(d)(2)

2) Documentation Process Issues
   Description: Requires that the methods (i.e., copy/paste, direct entry, import) for any update to an EHR be documented and tracked.
   General consistency: ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

3) Proxy Authorship
   Description: Requires that the user ID of the original author be tracked when an EHR update is entered “on behalf” of another author (i.e., distinguish between entries made by an assistant and a provider).
   General consistency: ONC notes that Certified EHR Technology is required to be capable of assigning the type of access and the actions the user can perform based on unique identifier(s). 45 CFR § 170.314(d)(1). However, ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

4) Record Modification After Signature
   Description: Requires that original EHR documents be retained after they are signed off and modifications be tracked as amendments.
   General consistency: Certified EHR Technology is required to have an audit log that tracks when a user makes any changes to a record (with pointer to original state). In addition, for patient-supplied information, EHR Technology must allow users to select the record and append the amendment. 45 CFR § 170.210(h); 45 CFR § 170.314(d)(4)

5) Patient Identity-Proofing
   Description: Requires that EHR technology be able to record and indicate the method used to confirm patient identity (i.e., photo identification, prior relationship).
   General consistency: ONC notes that Certified EHR Technology is required, through an electronic exchange, to properly match a transition of care/referral summary to the correct patient when a patient is transferred or referred to another care setting. 45 CFR 170.314(b)(1)(iii)(A). However, ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

User Authorization and Access Controls

6) Provider Identification
   Description: Requires the use of a provider’s NPI to restrict EHR access and track updates to EHRs by author.
   General consistency: Certified EHR Technology is required to verify against unique identifier(s) that a person seeking access is the one claimed. The type of access and the actions the user can perform must be based on unique identifier(s). EHR technology must also record actions of the user. 45 CFR § 170.314(d)(1); 45 CFR § 170.314(d)(2)

7) User Access Authorization
   Description: Requires the use of user IDs and passwords to restrict unauthorized access to EHRs.
   General consistency: Certified EHR Technology is required to verify against unique identifier(s) that a person seeking access is the one claimed. The type of access and the actions the user can perform must be based on unique identifier(s). 45 CFR § 170.314(d)(1)

8) Auditor Access to Patient Record
   Description: Requires that EHR technology support an “auditor” class of user to have read-only access to patient records.
   General consistency: ONC notes that Certified EHR Technology is required to be capable of assigning the type of access and the actions the user can perform based on unique identifier(s). 45 CFR § 170.314(d)(1). However, ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

Data Transfer Standards

9) EHR Traceability
   Description: Requires that a document ID tracking number be generated and attached to an EHR any time an EHR is exported (i.e., printed or electronically communicated).
   General consistency: ONC notes that Certified EHR Technology is required to have an audit log that tracks when health information is printed, copied, or queried. EHR technology is also required, through an electronic exchange, to properly match the transition of care/referral summary to the correct patient when a patient is transferred or referred to another care setting. 45 CFR 170.314(b)(1)(iii)(A). However, ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

10) Structured and Coded Data
   Description: Requires that EHR technology have the capacity to directly capture clinical information in structured and coded data and not impact EHR user productivity.
   General consistency: ONC certification criteria generally require structured and coded data for certain information, including among other data, problem lists, demographics, smoking status, and laboratory test results, and CMS meaningful use objectives require that data be recorded in structured form in order to meet certain objectives.

11) Integrity of EHR Transmission
   Description: Requires that EHRs be exchanged using certain data standards (encryption) to ensure data have not been altered during the transmission.
   General consistency: Certified EHR Technology must create a message digest and verify upon receipt of electronically exchanged health information that such information has not been altered as specified in 45 CFR § 170.210(c). 45 CFR § 170.314(d)(8); 45 CFR § 170.314(d)(7); 45 CFR § 170.314(d)(2)(ii)(c)

Patient Involvement in Anti-Fraud

12) Patient Involvement in Anti-Fraud
   Description: Requires that patients be able to access and comment within their EHRs.
   General consistency: Certified EHR Technology is required to provide patients with an online means to view, download, and transmit specified data to a third party. In an ambulatory setting, EHR technology must enable a user to electronically send and receive messages from a patient. In addition, for patient-supplied information, EHR technology must allow users to select the record and append the amendment. 45 CFR § 170.314(e)(1); 45 CFR § 170.314(e)(3); 45 CFR § 170.314(d)(4). Meaningful use requires that more than 50 percent of patients be allowed online access to their health information within 36 hours of discharge from the hospital. 42 CFR §§ 495.6(12)(ii)(B)

Other

13) Accurate Linkage of Claims to Clinical Records
   Description: Requires that information transmitted for payment of claims be accurately linked and tracked to the appropriate EHR.
   General consistency: ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

14) Evaluation and Management Coding
   Description: Requires that EHR technology not prompt an EHR user to add documentation but be able to alert a user to inconsistencies between documentation and coding.
   General consistency: ONC certification criteria and CMS meaningful use objectives do not specifically address this requirement.

APPENDIX B
Nonrespondent Analysis

A consideration in surveys or data collection efforts of this type is whether the results may be biased by significant differences between respondents and nonrespondents. To determine whether significant differences exist in this data collection effort, we compared respondents and nonrespondents by whether or not the hospital was a critical access hospital, the State the hospital is located in, and the ownership type of the hospital (i.e., profit, nonprofit, religious organization, physician owned).

We achieved a 95-percent response rate with respect to the hospitals sampled.
As a result, we had 832 responses and 45 nonresponses to use for this analysis.

Our analysis suggests that our survey results were not biased with regard to those variables. A chi-square test showed no relationship between respondents and nonrespondents with respect to whether the hospital was a critical access hospital. In addition, there were no patterns in frequency counts between respondents and nonrespondents for the State the hospital was located in or the ownership type of the hospital.

APPENDIX C
Agency Comments

CMS Comments

DEPARTMENT OF HEALTH & HUMAN SERVICES          Centers for Medicare & Medicaid Services
                                               Administrator
NOV 1 2013                                     Washington, DC 20201

TO:       Daniel R. Levinson
          Inspector General

FROM:     Marilyn Tavenner   /S/
          Administrator

SUBJECT:  Office of Inspector General (OIG) Draft Report: "Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology," OEI-01-11-00570

Thank you for the opportunity to review and comment on the above referenced OIG draft report. The Centers for Medicare & Medicaid Services (CMS) appreciates the contributions by, and valuable input from, the OIG.
The draft report assessed how hospitals that received Medicare electronic health record (EHR) incentive payments had implemented recommended fraud safeguards for EHR technology. The information in the report will help inform our administration and oversight of the EHR Incentive Programs.

CMS is committed to reducing fraud, waste, and abuse in the EHR Incentive Programs while ensuring that EHRs continue to improve the efficiency and effectiveness of patient care. CMS is conducting prepayment and postpayment audits to determine whether providers are properly receiving meaningful use incentive payments and complying with program rules. Audits of the EHR Incentive Program strengthen our program integrity oversight and help reduce improper payments. If an audit identifies potentially fraudulent activity, these are referred to our Center for Program Integrity for further investigation.

The draft report contained three recommendations for CMS and the Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC).
We address the CMS response to the recommendations below:

OIG Recommendation 1:

Audit logs be operational whenever EHR technology is available for updates or viewing. ONC could propose a change to its EHR certification criteria, through rulemaking, to require that EHR technology keeps the audit log operational whenever the EHR technology is available for updates or viewing.

ONC Comments

DEPARTMENT OF HEALTH & HUMAN SERVICES          Office of the Secretary
                                               Office of the National Coordinator
                                               for Health Information Technology
                                               Washington, D.C. 20201

TO:       Daniel R. Levinson
          Inspector General

FROM:     Jacob Reider   /S/
          Acting National Coordinator

SUBJECT:  The Office of the National Coordinator for Health Information Technology's Comments to the Office of Inspector General's Draft Report Entitled, Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology, OEI-01-11-00570.

Thank you for the opportunity to review and comment on the findings and recommendations in the Office of Inspector General's (OIG) draft report, Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology, OEI-01-11-00570. The draft report addresses potential risks certified electronic health records technology may pose. ONC appreciates the OIG's efforts to improve program integrity and address fraud vulnerabilities.

The subject evaluation relies heavily on a report, commissioned by ONC and delivered by RTI in 2007, that identifies recommendations to address potential EHR vulnerabilities.
While thoughtful input at the time, we note that some of this report's recommendations generated much debate in the stakeholder community and were not widely accepted or needed more evaluation as to their feasibility.

This response letter addresses the two recommendations from the OIG report that were directed to ONC.

OIG Recommendation 1:

Audit logs be operational whenever EHR technology is available for updates or viewing

ONC Response

ONC concurs with the recommendation. However, we wish to make clear that we do not have statutory authority to regulate how health care providers use EHR technology once certified - such as prohibiting providers from modifying their EHR technology to enable certain functionality post-certification.
Further, while testing could verify that an EHR technology's audit log is functioning properly and available, we are presently unsure of the feasibility and difficulty associated with "testing the negative" - that the audit log is never not operational -

ACKNOWLEDGMENTS

This report was prepared under the direction of Joyce Greenleaf, Regional Inspector General for Evaluation and Inspections in the Boston regional office; Kenneth Price, Deputy Regional Inspector General; and Russell Hereford, Deputy Regional Inspector General.

Danielle Fletcher served as the team leader for this study. Other Office of Evaluation and Inspections staff from the Boston regional office who conducted the study include Kimberly Yates. Central office staff who provided support include Kevin Manley, Clarence Arnold, and Christine Moritz.

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs.
This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities.
The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.